-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
maintain tagging of networks in a list #16
Comments
Optional: In case where network range matches the IP, add the matching network range from the list to a new field. With translate filter I could do a lookup on the new field. |
That's a great idea, thanks for suggesting this! Is this something you'd be willing to tackle, and submit a PR? :-) Things to take into consideration:
The last two optionals can be skipped if you think this is getting too big. We can definitely move forward without them and consider them later, if needed. |
If you're interested in tackling this, I'll make sure to review your PR and help you along. If you can't tackle this, I'll add this to my list of things to do, but it may take a while before I have time to look into it. |
+1 for this feature.. |
Definitely interested in this feature and I've thought about two ways of thinking about implementing it, one likely much simpler than the other:
My only reticence for the second avenue is derived from the first suggestion, in that I'm not sure if this would be considered edging up on the responsibilities of other filters. |
If there is some form of compute operation used to match IPs in filters already, shouldn't it just be altered to accept CIDR notation? Such a new version would be backwards compatible with old configurations, although new configurations wouldn't work on old versions. |
+1 for this feature.. |
+1 |
+1 for this feature. |
+1. I'll start working on the PR in the coming days. My thought process is adding an option to include the matching network n as a user-configurable field. |
+1 for this feature. |
+11 |
If you're doing a large number of CIDR blocks at a high volume, your
approach is likely a more efficient one. We had to scale back our use of
the CIDR filter while we come up with a programmatic means of dynamically
generating the expanded set of IP addresses for a translate filter. We've
had success with using the translate filter with over 1 million entries in
the dictionary, but struggle with 400 CIDR blocks of various sizes.
------------------------------
Michael Kemmerer
…On Tue, Nov 19, 2019 at 6:46 PM dpresbit ***@***.***> wrote:
+11
Very much needed feature. No reason why the matching CIDR shouldn’t be
available.
Today I have to list every single IP in the network in a translate
dictionary file, then for a value list the CIDR block. Why do this when
CIDR lookup filter already does this work for us and could easily return
the CIDR on a successful match.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#16?email_source=notifications&email_token=ACN3A7MC5N5KYHVZQIMDK4LQUSQJVA5CNFSM4FFJ6BRKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEEQQCLA#issuecomment-555811116>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACN3A7IOW5YSGE7OXE3T4LTQUSQJVANCNFSM4FFJ6BRA>
.
|
One potential bottleneck that might be causing this is the fact we’re doing a dot product between the list of ips in the event and the list of ips indicated in the filter. Not sure how possible it is in Ruby, but would it be possible to turn that list in the filter into a dictionary/map/hash, so that containment operations become faster? |
I noticed this issue is pretty stale, but if there's still interest in this I made some code changes locally to this I could do a PR for which allows it to accept hashes and adds a few fields. |
Could you please do a PR or share your code with me. This is something I am still attempting to implement. |
I just did a commit to the branch had submitted for a PR, so you should be able to view the code from there. It should also be backwards compatible sense it passed all the build tests. Hopefully @magnusbaeck or someone else with permissions can review and accept. |
Any idea when your PR will be available? I can’t wait. |
Pull request is already submitted, if you're needing it quickly you can always try taking my fork and replacing the code in your local logstash instance |
Hi,
It means a lot of effort for tagging hundreds of network ranges within the cidr filter. It would be great to do that in the the list configured in network_path. Like the translate filter, it would be great to extend the cidr list with additional information, e.g.:
10.10.2.0 /24: network 2. floor
192.168.3.1/23: sales
10.40.23.0/24: guest wifi
... and so far.
So that I have to maintain only the list, if something changed.
The text was updated successfully, but these errors were encountered: